[MDEV-4326] Server crashes in append_query_string on 2nd execution of a PS with string in LIMIT via API Created: 2013-03-25  Updated: 2018-10-01  Resolved: 2013-05-13

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.0.1, 5.5.30, 5.1.67, 5.2.14, 5.3.12
Fix Version/s: 10.0.3, 5.5.31, 5.1.73, 5.2.15, 5.3.13

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: upstream

Attachments: diff
Issue Links:
Relates
relates to MDEV-17334 Crash on prepared SELECT statement Closed

Description

#3  <signal handler called>
#4  0x000000000077c664 in append_query_string (thd=0x32e7d88, csinfo=0x1, from=0x7f3c80021d70, to=0x7f3cff0cc660) at log_event.cc:602
#5  0x00000000005a5233 in Item_param::query_val_str (this=0x7f3c80021d60, thd=0x32e7d88, str=0x7f3cff0cc660) at item.cc:3156
#6  0x00000000007389e7 in insert_params_with_log (stmt=0x7f3c8001d7b8, null_array=0x3364682 "", read_pos=0x3364686 "", data_end=0x3364686 "", query=0x7f3cff0cc7b0) at sql_prepare.cc:807
#7  0x000000000073dce5 in Prepared_statement::set_parameters (this=0x7f3c8001d7b8, expanded_query=0x7f3cff0cc7b0, packet=0x3364684 "\001\061", packet_end=0x3364686 "") at sql_prepare.cc:3250
#8  0x000000000073ddc3 in Prepared_statement::execute_loop (this=0x7f3c8001d7b8, expanded_query=0x7f3cff0cc7b0, open_cursor=false, packet=0x3364682 "", packet_end=0x3364686 "") at sql_prepare.cc:3316
#9  0x000000000073c0da in mysqld_stmt_execute (thd=0x32e7d88, packet_arg=0x3364679 "\002", packet_length=13) at sql_prepare.cc:2519
#10 0x0000000000688dcf in dispatch_command (command=COM_STMT_EXECUTE, thd=0x32e7d88, packet=0x3364679 "\002", packet_length=13) at sql_parse.cc:1249
#11 0x0000000000687edc in do_command (thd=0x32e7d88) at sql_parse.cc:906
#12 0x0000000000684e73 in handle_one_connection (arg=0x32e7d88) at sql_connect.cc:1238
#13 0x00007f3cfe426e9a in start_thread (arg=0x7f3cff0cd700) at pthread_create.c:308

Stack trace from:

revision-id: sergii@pisem.net-20130320202051-m8qdk6zvcci9vr5s
revno: 3194
branch-nick: 5.1

Also reproducible on all current MariaDB 5.1-10.0 and MySQL 5.1-5.6 versions.

Test case:

<?php

// The '@' suppresses the client-library version warning seen on the test host:
// PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50167 Library:50307
$mysqli = @new mysqli("127.0.0.1", "root", "", "mysql");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    exit(1);
}
$result = mysqli_query($mysqli, "SELECT VERSION()");
print_r(mysqli_fetch_row($result));

// The crash frames (insert_params_with_log -> Item_param::query_val_str ->
// append_query_string) are the path that expands the statement text with the
// parameter values for logging, so the general log is switched on first.
mysqli_query($mysqli, "SET GLOBAL general_log = 1");
$result = mysqli_query($mysqli, "SHOW GLOBAL VARIABLES LIKE 'general_log'");
print_r(mysqli_fetch_row($result));

// Control case: the same statement with an integer-bound LIMIT parameter,
// executed twice. Both executions succeed.
if (!($stmti = $mysqli->prepare("SELECT * FROM mysql.user LIMIT ?"))) {
    echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}

$int = 1;
if (!$stmti->bind_param("i", $int)) {
    echo "Binding parameters failed: (" . $stmti->errno . ") " . $stmti->error;
}

if (!$stmti->execute()) {
    echo "Execute failed: (" . $stmti->errno . ") " . $stmti->error;
} else {
    echo "Int Success\n";
}

if (!$stmti->execute()) {
    echo "Execute failed: (" . $stmti->errno . ") " . $stmti->error;
} else {
    echo "Int Success\n";
}

$stmti->free_result();
$stmti->close();

// Crash case: the same statement with a string-bound LIMIT parameter.
// The first execute() succeeds; the second one crashes the server.
if (!($stmts = $mysqli->prepare("SELECT * FROM mysql.user LIMIT ?"))) {
    echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}

$str = '1';
if (!$stmts->bind_param("s", $str)) {
    echo "Binding parameters failed: (" . $stmts->errno . ") " . $stmts->error;
}

if (!$stmts->execute()) {
    echo "Execute failed: (" . $stmts->errno . ") " . $stmts->error;
} else {
    echo "Str Success\n";
}

// Second execution of the string-bound statement: this is the one that crashes.
if (!$stmts->execute()) {
    echo "Execute failed: (" . $stmts->errno . ") " . $stmts->error;
} else {
    echo "Str Success\n";
}

$stmts->free_result();
$stmts->close();
?>
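The backtrace shows why the bug needs two executions: frame #9 receives a 13-byte COM_STMT_EXECUTE payload, and frame #7 reads the parameter value from the 2 bytes "\001\061" (a length-encoded string "1") at the end of it. A 13-byte payload for one parameter has no room for parameter types, so the server is reading the value with the type it cached on the first execution. The following model of that exchange is an added example, written for this page and not code from the bug report or from the MariaDB/MySQL source tree. It builds the two packets a client sends for the report's second prepared statement (id 2, one string parameter "1") and decodes them as a server must, keeping the types from the first packet. Which type code mysqli's "s" binding sends is not stated on the page; the example uses MYSQL_TYPE_STRING, as in the C API attempt discussed in the comments.

```python
"""Client/server model of COM_STMT_EXECUTE, the binary-protocol command behind
mysqli's $stmt->execute(). Constructed example, not MariaDB/MySQL code."""
import struct

COM_STMT_EXECUTE = 0x17
# Column-type codes from the protocol (the subset used here).
MYSQL_TYPE_LONG = 0x03
MYSQL_TYPE_VAR_STRING = 0xFD
MYSQL_TYPE_STRING = 0xFE
TYPE_NAMES = {MYSQL_TYPE_LONG: "LONG", MYSQL_TYPE_VAR_STRING: "VAR_STRING",
              MYSQL_TYPE_STRING: "STRING"}
STRING_TYPES = (MYSQL_TYPE_VAR_STRING, MYSQL_TYPE_STRING)


def lenenc(n):
    """Encode a length-encoded integer."""
    if n < 0xFB:
        return bytes([n])
    if n < 0x10000:
        return b"\xfc" + struct.pack("<H", n)
    if n < 0x1000000:
        return b"\xfd" + n.to_bytes(3, "little")
    return b"\xfe" + struct.pack("<Q", n)


def read_lenenc(buf, pos):
    """Decode a length-encoded integer at buf[pos]; returns (value, new_pos)."""
    first = buf[pos]
    if first < 0xFB:
        return first, pos + 1
    if first == 0xFC:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFD:
        return int.from_bytes(buf[pos + 1:pos + 4], "little"), pos + 4
    if first == 0xFE:
        return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9
    raise ValueError("0x%02x is not a length-encoded integer prefix" % first)


def build_execute(stmt_id, params, send_types):
    """Client side. params is a list of (type_code, value); value None is NULL.
    send_types models the client sending its parameter types only on the first
    execute after binding; later executes set new_params_bound_flag to 0."""
    n = len(params)
    out = bytearray([COM_STMT_EXECUTE])
    out += struct.pack("<IBI", stmt_id, 0, 1)   # stmt id, flags, iteration count
    null_bitmap = bytearray((n + 7) // 8)
    for i, (_, value) in enumerate(params):
        if value is None:
            null_bitmap[i // 8] |= 1 << (i % 8)
    out += null_bitmap
    out.append(1 if send_types else 0)          # new_params_bound_flag
    if send_types:
        for type_code, _ in params:
            out += bytes([type_code, 0])        # type, flags (0x80 = unsigned)
    for type_code, value in params:
        if value is None:
            continue
        if type_code == MYSQL_TYPE_LONG:
            out += struct.pack("<i", value)
        elif type_code in STRING_TYPES:
            out += lenenc(len(value)) + value
        else:
            raise ValueError("unsupported type 0x%02x" % type_code)
    return bytes(out)


class StmtState:
    """Server-side per-statement state that survives between executions."""
    def __init__(self, stmt_id, param_count):
        self.stmt_id = stmt_id
        self.param_count = param_count
        self.param_types = None   # filled in only by a packet that carries types


def decode_execute(packet, stmt):
    """Server side. Parses one COM_STMT_EXECUTE; when the packet carries no
    types, the values are read with the types cached from an earlier packet."""
    if packet[0] != COM_STMT_EXECUTE:
        raise ValueError("not COM_STMT_EXECUTE")
    stmt_id, flags, iterations = struct.unpack_from("<IBI", packet, 1)
    if stmt_id != stmt.stmt_id:
        raise ValueError("statement id mismatch")
    pos = 10
    n = stmt.param_count
    null_bitmap = packet[pos:pos + (n + 7) // 8]
    pos += (n + 7) // 8
    new_types = packet[pos]
    pos += 1
    if new_types:
        types = []
        for _ in range(n):
            types.append((packet[pos], bool(packet[pos + 1] & 0x80)))
            pos += 2
        stmt.param_types = types
    elif stmt.param_types is None:
        raise ValueError("no parameter types in packet and none cached")
    values = []
    for i, (type_code, unsigned) in enumerate(stmt.param_types):
        if null_bitmap[i // 8] & (1 << (i % 8)):
            values.append(None)
            continue
        if type_code == MYSQL_TYPE_LONG:
            values.append(struct.unpack_from("<I" if unsigned else "<i", packet, pos)[0])
            pos += 4
        elif type_code in STRING_TYPES:
            length, pos = read_lenenc(packet, pos)
            values.append(packet[pos:pos + length])
            pos += length
        else:
            raise ValueError("unsupported type 0x%02x" % type_code)
    if pos != len(packet):
        raise ValueError("%d trailing bytes" % (len(packet) - pos))
    return {"stmt_id": stmt_id, "flags": flags, "iterations": iterations,
            "new_types": bool(new_types),
            "types": [TYPE_NAMES[t] for t, _ in stmt.param_types],
            "values": values}


def trace_session():
    """Replay the report's second prepared statement (id 2, one STRING
    parameter '1') executed twice. Returns both decoded packets and both raw
    packets; len(raw) - 1 is what dispatch_command() reports as packet_length."""
    stmt = StmtState(stmt_id=2, param_count=1)
    first = build_execute(2, [(MYSQL_TYPE_STRING, b"1")], send_types=True)
    second = build_execute(2, [(MYSQL_TYPE_STRING, b"1")], send_types=False)
    return decode_execute(first, stmt), decode_execute(second, stmt), first, second


if __name__ == "__main__":
    first_decoded, second_decoded, first_raw, second_raw = trace_session()
    print(len(first_raw) - 1, first_decoded)
    print(len(second_raw) - 1, second_decoded)
```

The second packet is 13 bytes after the command byte and ends in "\x01" "1", matching frames #7 and #9. Nothing in either packet names a character set for the string parameter, so the csinfo=0x1 that append_query_string dereferences in frame #4 is server-side state carried over from the first execution, not something the client sent.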



Comments
Comment by Elena Stepanova [ 2013-03-26 ]

general log:

/data/bzr/5.5/sql/mysqld, Version: 5.5.30-MariaDB-debug (Source distribution). started with:
Tcp port: 3306 Unix socket: /data/bzr/5.5/data/tmp/mysql.sock
Time Id Command Argument
130326 16:19:29 2 Query SHOW GLOBAL VARIABLES LIKE 'general_log'
2 Prepare SELECT * FROM mysql.user LIMIT ?
2 Execute SELECT * FROM mysql.user LIMIT 1
2 Execute SELECT * FROM mysql.user LIMIT 1
2 Close stmt
2 Prepare SELECT * FROM mysql.user LIMIT ?
2 Execute SELECT * FROM mysql.user LIMIT 1

Comment by Oleksandr Byelkin [ 2013-03-28 ]

Attached 'diff' is my unsuccessful attempt to repeat the bug via C API.

Comment by Elena Stepanova [ 2013-03-29 ]

Sanja,

I think you forgot

bind.buffer_type=MYSQL_TYPE_STRING;

after the second prepare.

Comment by Oleksandr Byelkin [ 2013-03-29 ]

Somehow a string of zero length is passed to the parameter binding inside the server.

Comment by Elena Stepanova [ 2013-04-09 ]

As discussed, I refiled it for MySQL as http://bugs.mysql.com/bug.php?id=68890

Upd:
They made it private and closed it as a duplicate of bugs http://bugs.mysql.com/bug.php?id=68401 and http://bugs.mysql.com/bug.php?id=68606, both of which are also private, and I don't have access to either.

Comment by Oleksandr Byelkin [ 2013-04-09 ]

Fix committed.

Comment by Oleksandr Byelkin [ 2013-04-09 ]

Please review.

Comment by Oleksandr Byelkin [ 2013-05-10 ]

Pushed to 5.1.

Comment by Sergei Golubchik [ 2013-05-13 ]

Pushed in 5.1.

Generated at Thu Feb 08 06:55:33 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.